---
layout: docs
page_title: Storing the Snapshot Agent Config in Vault
description: >-
  Configuring the Consul Helm chart to use a snapshot agent config stored in Vault.
---

# Storing the Snapshot Agent Config in Vault

This topic describes how to configure the Consul Helm chart to use a snapshot agent config stored in Vault.
## Overview
To use an ACL replication token stored in Vault, follow the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section.

Complete the following steps once:
  1. Store the secret in Vault.
  1. Create a Vault policy that authorizes the desired level of access to the secret.

Repeat the following steps for each datacenter in the cluster:
  1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
  1. Update the Consul on Kubernetes helm chart.

## Prerequisites
Before you set up data integration between Vault and Consul on Kubernetes, complete the following prerequisites:
1. Read and completed the steps in the [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault).

## Store the Secret in Vault

First, store the snapshot agent config in Vault:

```shell-session
$ vault kv put consul-kv/secret/snapshot-agent-config key="<snapshot agent JSON config>"
```

## Create Vault policy

Next, you will need to create a policy that allows read access to this secret.

The path to the secret referenced in the `path` resource is the same values that you will configure in the  `client.snapshotAgent.configSecret.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).

<CodeBlockConfig filename="snapshot-agent-config-policy.hcl">

```HCL
path "consul-kv/data/secret/snapshot-agent-config" {
  capabilities = ["read"]
}
```

</CodeBlockConfig>

Apply the Vault policy by issuing the `vault policy write` CLI command:

```shell-session
$ vault policy write snapshot-agent-config-policy snapshot-agent-config-policy.hcl
```

## Create Vault Authorization Roles for Consul

Next, add this policy to your Consul server Kubernetes auth role:

```shell-session
$ vault write auth/kubernetes/role/consul-server \
    bound_service_account_names=<Consul server service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=snapshot-agent-config-policy \
    ttl=1h
```
Note that if you have other policies associated
with the Consul server service account that are not in the example, you need to include those as well.

To find out the service account name of the Consul snapshot agent,
you can run the following `helm template` command with your Consul on Kubernetes values file:

```shell-session
$ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul -f values.yaml
```

## Update Consul on Kubernetes Helm chart

Now that you have configured Vault, you can configure the Consul Helm chart to
use the snapshot agent configuration in Vault:

<CodeBlockConfig filename="values.yaml">

```yaml
global:
  secretsBackend:
    vault:
      enabled: true
      consulServerRole: consul-server
client:
  snapshotAgent:
    configSecret:
      secretName: consul-kv/data/secret/snapshot-agent-config
      secretKey: key
```

</CodeBlockConfig>

Note that `client.snapshotAgent.configSecret.secretName` is the path of the secret in Vault.
This should be the same path as the one you included in your Vault policy.
`client.snapshotAgent.configSecret.secretKey` is the key inside the secret data. This should be the same
as the key you passed when creating the snapshot agent config secret in Vault.
